The present invention was made under government contract MIDA904-99-G-0017 with the United States Defense Logistics Agency.
1. Technical Field
The present invention relates to computer network security in general, and in particular to a method and system for providing security to computer networks. Still more particularly, the present invention relates to a method for predicting the impact of an attack on a computer network and taking protective actions to mitigate the impact.
2. Description of the Related Art
The number of attacks on computer networks has been on the rise in recent years. With a better understanding of the inner workings of computer networks, network intruders have become very skillful in taking advantage of the weaknesses of computer networks to obtain unauthorized access. Often, network intruders can easily overcome a password authentication mechanism designed to protect a computer network. Network intruders also use patterns of intrusion that are often difficult to trace and identify. They use several levels of indirection before breaking into target systems and rarely indulge in sudden bursts of suspicious or anomalous activity. After compromising an account on a target system, network intruders typically cover their tracks so as not to arouse suspicion.
As the number of users within an entity grows, the risks from unauthorized intrusions into a computer network within the entity also increase. In order to maintain a reliable and secure computer network, exposure to potential network intrusions must be reduced as much as possible. Network intrusions can originate either from legitimate users within an entity attempting to access secure portions of the computer network or from illegitimate users outside the entity attempting to break into the computer network. Intrusions from either of the above-mentioned two groups can compromise the security of the computer network.
One shortcoming of today's intrusion detection systems is that once an intrusion is detected, the response is usually "fixed." The conventional responses to detected network intrusions have been to contact a system administrator via electronic mail, telephone or pager, or simply to log the detected intrusion into a log file for later analysis. These intrusion detection systems are inflexible and do not provide a real-time response to a network intrusion of an organization's computer network. They also do not attempt to counter or fix the problems arising from the detected network intrusion. Further, they do not provide a flexible upgrade path to take advantage of new technologies or to adapt to the evolving needs of the computer user.
Consequently, it would be desirable to provide an improved method and system for providing network security for computer networks. The improved method and system should respond to computer network intrusions automatically. The improved method and system should provide a true real-time response to a detected network intrusion instead of simply a notification.